Xentrk
Part of the Furniture
That is now urban legend from what I understand.
You should be fine.How to Dynamically Ban Malicious IP's using IPSet (Martineau version)
- Thread starter Martineau
- Start date
You should be fine.
Jack Yaz
Part of the Furniture
Ah OK, I read it here: https://github.com/RMerl/asuswrt-merlin/wiki/JFFS
Xentrk
Part of the Furniture
Correct. In a prior discussion this week, Merlin stated that changes to the Administration-System page will cause this behavior.
Xentrk
Part of the Furniture
Ah yes. I think the caveat is high volume activity files. Best to put those on USB drives.
I recommend reading thru the wiki if you are new to ASUS Merlin. This page will help you understand the scripts and their purpose. https://github.com/RMerl/asuswrt-merlin/wiki/User-scripts
Jack Yaz
Part of the Furniture
Yes been reading plenty and got a few scripts going. Didn't know if writing out to the Blacklist would constitute high volume activity. I have a 500gb USB HDD plugged in, may reformat it to ext4 using this guide: http://www.algissalys.com/how-to/format-and-partition-usb-asuswrt-routers, with an additional 3rd partition of 2GB to store script outputs.
Xentrk
Part of the Furniture
I would get a smaller usb drive and use it for this purpose and plug it into the USB2 port. Keep the other one for client backups or as a poor man NAS solution.
I have a two GB USB drive in my USB2 port with two partitions (one for ab-solution and the other for entware) with ext2 format and a 1TB NTFS in on the USB3 port. I turned off the router and removed the existing 2GB USB Drive (after I uninstalled ab-solution)which I recommend highly BTW.
I used a free software called Mini Parition Tool on my win 10 laptop. I first reformatted the entire USB as NTFS with the label name of my router e.g. RT-AC88U-1234. There is an option to split the partitions in half. So now I have two partitions of 1 GB each formatted as NTFS. I then took one of them and split that one it in half. I now have 3 partitions as NTFS. With the tool, you can now reformat and label each partition. I left the partition labeled as my router name alone as I am using that for the IPSET_Block.sh script. entware and absolution don't require that much space. 500mb each is plenty. So, I took one of the second NTFS partitions I had split in half, right clicked and choose format. I labeled it as absolution with ext2 format. I repeated the same for the other and labeled it entware. I then applied the changes. I have done formatting and labeling using both the Linux command line and tools. But the gui interface of the Mini Tool Partition wizard is so much easier. I had to reinstall ab-solution and entware when done and other packages. I then plugged the drive into the USB 2 port, turned on the router. I have SSH enabled. So I logon, and navigate to /tmp/mnt. I do a ls command and see the three partitions I created as directories: entware, absolution and RT-AC88U-1234.
Hope this helps!
swetoast
Guest
amplatfus
Senior Member
Hi,
Let me share my case. I have successful blocks and banned some IP, but hacker ports report is empty.
Please help me to understand why hacker ports report is emty or how to test that is working.
Thank you for your help. [emoji4]
Sent from my ONE A2003 using Tapatalk
Let me share my case. I have successful blocks and banned some IP, but hacker ports report is empty.
Please help me to understand why hacker ports report is emty or how to test that is working.
Code:
root@router:/jffs/scripts# ./IPSET_Block.sh
(IPSET_Block.sh): 28277 v3.05 2016-2017 Martineau, Dynamic IPSET Blacklist banning request.....
Summary Blacklist: 40627 Successful blocks! ( 125 IPs currently banned - 652 added since: May 4 11:06 ), Entries auto-expire after 168:00:00 hrs
(HackerPorts.sh): 28352 v2.02 Hacker Port attacks Report starting.....
Thu May 4 22:16:02 DST 2017 Statistics: Total Unique Ports attacked: 0 (out of 0 attempts) tracked using SYSLOG between May 4 19:43:04 - May 4 22:16:02
Top 3 Ports attacked:
Top 3 attackers:
Last 3 most recent attackers:Sent from my ONE A2003 using Tapatalk
Martineau
Part of the Furniture
I don't think any deserve any thanks given my rubbish script!
Could you please try these diagnostic commands and post the output
Code:
iptables -V
iptables -S logdrop
iptables --line -nvL logdrop
iptables -S Blacklist
iptables --line -nvL Blacklist
iptables -A Blacklist -m state --state NEW -j LOG --log-prefix "Block " --log-tcp-sequence --log-tcp-options --log-ip-options
iptables -A Blacklist -m state --state NEW -j LOG --log-prefix "Block " --log-tcp-sequence
iptables -A Blacklist -m state --state NEW -j LOG --log-prefix "Block "
iptables -S Blacklist
iptables --line -nvL Blacklist
grep -E "Block IN=$(nvram get wan0_ifname)" /tmp/syslog.log | grep -oE "SRC.*DPT=.*\SEQ" | wc -l
grep -E "Block IN=$(nvram get wan0_ifname)" /tmp/syslog.log | grep -oE "SRC.*DPT=.*SEQ" | wc -l
Code:
./IPSET_Block.sh
Last edited:
Xentrk
Part of the Furniture
You deserve a lot of thanks. In fact, I would send you a PayPal donation if you let me know how. I really appreciate the script and the support you provide on the forum.I don't think any deserve any thanks given my rubbish script!
octopus
Part of the Furniture
We all love your script and effort to help people.
swetoast
Guest
I don't think any deserve any thanks given my rubbish script!
try and try again, welcome to the wonderful world of maintaining.
amplatfus
Senior Member
I can say that you deserve at least thanks and even more for all your time and passion invested.
Please find below my output and please share your thoughts.
Many thanks!
Please find below my output and please share your thoughts.
Many thanks!
Code:
ASUSWRT-Merlin RT-AC88U 380.65-2 Fri Mar 10 05:31:41 UTC 2017
root@rooter:/tmp/home/root# iptables -V
iptables v1.4.14
root@rooter:/tmp/home/root# iptables -S Blacklist
-N Blacklist
-A Blacklist -m state --state NEW -j SET --add-set Blacklist src
-A Blacklist -m state --state NEW -j LOG --log-prefix "Block " --log-tcp-sequence --log-tcp-options --log-ip-options
-A Blacklist -m state --state NEW -j LOG --log-prefix "Block " --log-tcp-sequence --log-tcp-options --log-ip-options
-A Blacklist -m state --state NEW -j LOG --log-prefix "Block " --log-tcp-sequence
-A Blacklist -m state --state NEW -j LOG --log-prefix "Block "
root@rooter:/tmp/home/root# iptables --line -nvL Blacklist
Chain Blacklist (4 references)
num pkts bytes target prot opt in out source destination
1 12215 5948K SET all -- * * 0.0.0.0/0 0.0.0.0/0 state NEW add-set Blacklist src
2 12215 5948K LOG all -- * * 0.0.0.0/0 0.0.0.0/0 state NEW LOG flags 7 level 4 prefix "Block "
3 39 20165 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 state NEW LOG flags 7 level 4 prefix "Block "
4 39 20165 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 state NEW LOG flags 1 level 4 prefix "Block "
5 38 19589 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 state NEW LOG flags 0 level 4 prefix "Block "
root@rooter:/tmp/home/root# iptables -A Blacklist -m state --state NEW -j LOG --log-prefix "Block " --log-tcp-sequence --log-tcp-options --log-ip-options
root@rooter:/tmp/home/root# iptables -A Blacklist -m state --state NEW -j LOG --log-prefix "Block " --log-tcp-sequence
root@rooter:/tmp/home/root# iptables -A Blacklist -m state --state NEW -j LOG --log-prefix "Block "root@rooter:/tmp/home/root# grep -E "Block IN=$(nvram get wan0_ifname)" /tmp/syslog.log | grep -oE "SRC.*DPT=.*\SEQ" | wc -l
0
root@rooter:/tmp/home/root# grep -E "Block IN=$(nvram get wan0_ifname)" /tmp/syslog.log | grep -oE "SRC.*DPT=.*SEQ" | wc -l
0
root@rooter:/tmp/home/root# cd /jffs/scripts
root@rooter:/jffs/scripts# ./IPSET_Block.sh
(IPSET_Block.sh): 19491 v3.05 [emoji767] 2016-2017 Martineau, Dynamic IPSET Blacklist banning request.....
Summary Blacklist: 60321 Successful blocks! ( 777 IPs currently banned - 762 added since: May 4 22:16 ), Entries auto-expire after 168:00:00 hrs
(HackerPorts.sh): 19566 v2.02 Hacker Port attacks Report starting.....
Fri May 5 11:14:22 DST 2017 Statistics: Total Unique Ports attacked: 0 (out of 0 attempts) tracked using SYSLOG between May 5 10:04:53 - May 5 11:14:22
Top 3 Ports attacked:
Top 3 attackers:
Last 3 most recent attackers:
[\code]
Sent from my ONE A2003 using TapatalkMartineau
Part of the Furniture
OK, I really appreciate you taking the time to assist in debugging.
So 'IPSET_Block.sh init' has executed correctly as clearly it appears it has ensured 12,215 "Block IN=" LOG messages were created (before the manual duplication of the 3 "Block" LOG rules you added!)
Code:
Chain Blacklist (4 references)
num pkts bytes target prot opt in out source destination
1 12215 5948K SET all -- * * 0.0.0.0/0 0.0.0.0/0 state NEW add-set Blacklist src
2 12215 5948K LOG all -- * * 0.0.0.0/0 0.0.0.0/0 state NEW LOG flags 7 level 4 prefix "Block "So could you please assist further by issuing the following and post the output.
Code:
tail /tmp/syslog.log
grep -E "Block.*" /tmp/syslog.log | tailamplatfus
Senior Member
Thanks. Please find below the output step 2:
Sent from my ONE A2003 using Tapatalk
Code:
ASUSWRT-Merlin RT-AC88U 380.65-2 Fri Mar 10 05:31:41 UTC 2017
root@rooter:/tmp/home/root# tail /tmp/syslog.log
May 5 12:38:14 kernel: Block IN=ppp0 OUT= MAC= SRC=190.175.29.142 DST=79.115.188.148 LEN=40 TOS=0x14 PREC=0x00 TTL=45 ID=43374 PROTO=TCP SPT=3802 DPT=22 WINDOW=38691 RES=0x00 SYN URGP=0
May 5 12:38:16 kernel: Block IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:78:24:af:7f:f1:8c:08:00 SRC=0.0.0.0 DST=255.255.255.255 LEN=576 TOS=0x00 PREC=0x00 TTL=64 ID=0 PROTO=UDP SPT=68 DPT=67 LEN=556
May 5 12:38:16 kernel: Block IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:78:24:af:7f:f1:8c:08:00 SRC=0.0.0.0 DST=255.255.255.255 LEN=576 TOS=0x00 PREC=0x00 TTL=64 ID=0 PROTO=UDP SPT=68 DPT=67 LEN=556
May 5 12:38:16 kernel: Block IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:78:24:af:7f:f1:8c:08:00 SRC=0.0.0.0 DST=255.255.255.255 LEN=576 TOS=0x00 PREC=0x00 TTL=64 ID=0 PROTO=UDP SPT=68 DPT=67 LEN=556
May 5 12:38:16 kernel: Block IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:78:24:af:7f:f1:8c:08:00 SRC=0.0.0.0 DST=255.255.255.255 LEN=576 TOS=0x00 PREC=0x00 TTL=64 ID=0 PROTO=UDP SPT=68 DPT=67 LEN=556
May 5 12:38:16 kernel: Block IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:78:24:af:7f:f1:8c:08:00 SRC=0.0.0.0 DST=255.255.255.255 LEN=576 TOS=0x00 PREC=0x00 TTL=64 ID=0 PROTO=UDP SPT=68 DPT=67 LEN=556
May 5 12:38:16 kernel: Block IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:78:24:af:7f:f1:8c:08:00 SRC=0.0.0.0 DST=255.255.255.255 LEN=576 TOS=0x00 PREC=0x00 TTL=64 ID=0 PROTO=UDP SPT=68 DPT=67 LEN=556
May 5 12:38:16 kernel: Block IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:78:24:af:7f:f1:8c:08:00 SRC=0.0.0.0 DST=255.255.255.255 LEN=576 TOS=0x00 PREC=0x00 TTL=64 ID=0 PROTO=UDP SPT=68 DPT=67 LEN=556
May 5 12:38:17 dropbear[32579]: Child connection from 10.8.0.2:52705
May 5 12:38:18 dropbear[32579]: Password auth succeeded for 'stoic' from 10.8.0.2:52705
root@rooter:/tmp/home/root# grep -E "Block IN=" /tmp/syslog.log | tail
May 5 12:38:42 kernel: Block IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:78:24:af:7f:f1:8c:08:00 SRC=0.0.0.0 DST=255.255.255.255 LEN=576 TOS=0x00 PREC=0x00 TTL=64 ID=0 PROTO=UDP SPT=68 DPT=67 LEN=556
May 5 12:38:42 kernel: Block IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:78:24:af:7f:f1:8c:08:00 SRC=0.0.0.0 DST=255.255.255.255 LEN=576 TOS=0x00 PREC=0x00 TTL=64 ID=0 PROTO=UDP SPT=68 DPT=67 LEN=556
May 5 12:38:42 kernel: Block IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:78:24:af:7f:f1:8c:08:00 SRC=0.0.0.0 DST=255.255.255.255 LEN=576 TOS=0x00 PREC=0x00 TTL=64 ID=0 PROTO=UDP SPT=68 DPT=67 LEN=556
May 5 12:38:45 kernel: Block IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:78:24:af:7f:f1:8c:08:00 SRC=0.0.0.0 DST=255.255.255.255 LEN=576 TOS=0x00 PREC=0x00 TTL=64 ID=0 PROTO=UDP SPT=68 DPT=67 LEN=556
May 5 12:38:45 kernel: Block IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:78:24:af:7f:f1:8c:08:00 SRC=0.0.0.0 DST=255.255.255.255 LEN=576 TOS=0x00 PREC=0x00 TTL=64 ID=0 PROTO=UDP SPT=68 DPT=67 LEN=556
May 5 12:38:45 kernel: Block IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:78:24:af:7f:f1:8c:08:00 SRC=0.0.0.0 DST=255.255.255.255 LEN=576 TOS=0x00 PREC=0x00 TTL=64 ID=0 PROTO=UDP SPT=68 DPT=67 LEN=556
May 5 12:38:45 kernel: Block IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:78:24:af:7f:f1:8c:08:00 SRC=0.0.0.0 DST=255.255.255.255 LEN=576 TOS=0x00 PREC=0x00 TTL=64 ID=0 PROTO=UDP SPT=68 DPT=67 LEN=556
May 5 12:38:45 kernel: Block IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:78:24:af:7f:f1:8c:08:00 SRC=0.0.0.0 DST=255.255.255.255 LEN=576 TOS=0x00 PREC=0x00 TTL=64 ID=0 PROTO=UDP SPT=68 DPT=67 LEN=556
May 5 12:38:45 kernel: Block IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:78:24:af:7f:f1:8c:08:00 SRC=0.0.0.0 DST=255.255.255.255 LEN=576 TOS=0x00 PREC=0x00 TTL=64 ID=0 PROTO=UDP SPT=68 DPT=67 LEN=556
May 5 12:38:45 kernel: Block IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:78:24:af:7f:f1:8c:08:00 SRC=0.0.0.0 DST=255.255.255.255 LEN=576 TOS=0x00 PREC=0x00 TTL=64 ID=0 PROTO=UDP SPT=68 DPT=67 LEN=556Sent from my ONE A2003 using Tapatalk
Martineau
Part of the Furniture
It appears the issue is with parsing the syslog lines on your system.
Unfortunately I don't get a correct report when attempting to parse the lines of Syslog you provided, but this may be simply because of the 3 LOG rules that were temporarily added.
Can you delete rules 5,4 and 3 from the Blacklist chain ?
Code:
iptables --line -nvL Blacklist
Chain Blacklist (4 references)
num pkts bytes target prot opt in out source destination
1 12215 5948K SET all -- * * 0.0.0.0/0 0.0.0.0/0 state NEW add-set Blacklist src
2 12215 5948K LOG all -- * * 0.0.0.0/0 0.0.0.0/0 state NEW LOG flags 7 level 4 prefix "Block "
3 39 20165 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 state NEW LOG flags 7 level 4 prefix "Block "
4 39 20165 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 state NEW LOG flags 1 level 4 prefix "Block "
5 38 19589 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 state NEW LOG flags 0 level 4 prefix "Block
iptables -D Blacklist 5
iptables -D Blacklist 4
iptables -D Blacklist 3...then patch LINE:157 in the HackerPorts.sh script: (basically text string \SEQ is replaced by [A-Z] )
Code:
grep -E "[DROP IN=|Block IN=]$(nvram get wan0_ifname)" /tmp/syslog.log | grep -oE "SRC.*DPT=.*\SEQ" \
change to
grep -E "[DROP IN=|Block IN=]$(nvram get wan0_ifname)" /tmp/syslog.log | grep -oE "SRC.*DPT=.*[A-Z]" \and retry the report ?
Last edited:
amplatfus
Senior Member
Yes. I edited line 157 in HackerPorts.sh and deleted d iptables. Here it is:It appears the issue is with parsing the syslog lines on your system.
Unfortunately I don't get a correct report when attempting to parse the lines of Syslog you provided, but this may be simply because of the 3 LOG rules that were temporarily added.
Can you delete rules 5,4 and 3 from the Blacklist chain ?
Code:iptables --line -nvL Blacklist Chain Blacklist (4 references) num pkts bytes target prot opt in out source destination 1 12215 5948K SET all -- * * 0.0.0.0/0 0.0.0.0/0 state NEW add-set Blacklist src 2 12215 5948K LOG all -- * * 0.0.0.0/0 0.0.0.0/0 state NEW LOG flags 7 level 4 prefix "Block " 3 39 20165 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 state NEW LOG flags 7 level 4 prefix "Block " 4 39 20165 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 state NEW LOG flags 1 level 4 prefix "Block " 5 38 19589 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 state NEW LOG flags 0 level 4 prefix "Block iptables -D Blacklist 5 iptables -D Blacklist 4 iptables -D Blacklist 3
...then patch LINE:157 in the HackerPorts.sh script: (basically text string \SEQ is replaced by [A-Z] )
Code:grep -E "[DROP IN=|Block IN=]$(nvram get wan0_ifname)" /tmp/syslog.log | grep -oE "SRC.*DPT=.*\SEQ" \ change to grep -E "[DROP IN=|Block IN=]$(nvram get wan0_ifname)" /tmp/syslog.log | grep -oE "SRC.*DPT=.*[A-Z]" \
and retry the report ?
Code:
root@rooter:/jffs/scripts# iptables -D Blacklist 5
root@rooter:/jffs/scripts# iptables -D Blacklist 4
root@rooter:/jffs/scripts# iptables -D Blacklist 3
root@rooter:/jffs/scripts# ./HackerPorts.sh
(HackerPorts.sh): 27736 v2.02 Hacker Port attacks Report starting.....
Fri May 5 15:36:20 DST 2017 Statistics: Total Unique Ports attacked: 1 (out of 429 attempts) tracked using SYSLOG between May 5 15:21:19 - May 5 15:36:20
Top 10 Ports attacked:
429 http://www.speedguide.net/port.php?port=67 e.g. https://dnsquery.org/ipwhois/0.0.0.0
Top 10 attackers:
1 https://dnsquery.org/ipwhois/0.0.0.0
Last 10 most recent attackers:
https://dnsquery.org/ipwhois/0.0.0.010q
Sent from my ONE A2003 using Tapatalk
Martineau
Part of the Furniture
So finally the report is now actually listing 'attack' attempts!
Unfortunately the simple Regexp patch breaks the script on my RT-AC68U 380.66Beta1
Regexp is always a challenge for me but I'll investigate further.
I did think it was strange that '0.0.0.0' appears a lot on your system to port 67.
If you look at LINE:381 you can see I considered restricting the tracking to only the WAN interface but changed my mind for the public release.
Code:
# WAN only or ALL interfaces BRx / tun1x etc. ?
#if [ $WAN_ONLY ];then
#iptables -I INPUT $RULENO -i $(nvram get wan0_ifname) -m state --state INVALID -j Blacklist # WAN only
#else
iptables -I INPUT $RULENO -m state --state INVALID -j Blacklist # ALL interfaces
#fiFeel free to uncomment/swap the lines to force the tracking of only WAN port blocks, but I suspect the alternative rule will still report 0.0.0.0 unless explicitly excluded.
P.S. I don't see o.o.o.o on my RT-AC68U.
I suggest you leave it for 24hrs to see if your custom patched script eventually reports on ports other than 67 and from external IP addresses.
NOTE: I've also spotted that the top 3 Ports 'attacked' differs when the 'num=nn' is used
Basically LINE:187 in the HackerPorts.sh script: should be reversed
Code:
head -n $TOPX $LOGFILE".tmp" | sort -nr >> $LOGFILE.new
change to
sort -nr $LOGFILE".tmp" | head -n $TOPX >> $LOGFILE.newAgain, many thanks for your patience and time in providing the diagnostics and debugging.
amplatfus
Senior Member
I thank you, big one! For me it was a pleasure.
I have a little question: I have the FTP 21 port open.
I have tried to enter wrong password from my mobile LTE connection to FTP many times per minute (in order to block that external IP) and I could still login immediately.
This solution will protect somehow this port even is open?
Thank you!
Sent from my ONE A2003 using Tapatalk
I have a little question: I have the FTP 21 port open.
I have tried to enter wrong password from my mobile LTE connection to FTP many times per minute (in order to block that external IP) and I could still login immediately.
This solution will protect somehow this port even is open?
Thank you!
Sent from my ONE A2003 using Tapatalk
I think this addition and some of the Trend Micro Network AIprotection may get in each other's way, specifically Malicious Sites Blocking and Vulnerability Protection. At least I get some different error messages when I run the script and have those on. I have had a hard time finding out exactly what and how those work. Does this script attempt to do the same thing? Can they both run?
rearden
rearden
Similar threads
Similar threads
| Thread starter | Title | Forum | Replies | Date |
|---|---|---|---|---|
|
How I can dynamically manage VPN director rules list by CLI | Asuswrt-Merlin | 0 |
Similar threads
-
How I can dynamically manage VPN director rules list by CLI
- Started by devhell
- Replies: 0
Latest threads
-
-
AdGuardHome Use DNS encryption automatically via AdGuard DHCP server
- Started by Milan
- Replies: 1
-
-
Ubuntu Linux impacted by decade-old 'needrestart' flaw that gives root- Started by PR3MIUM
- Replies: 0
-
Support SNBForums w/ Amazon
If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!
Sign Up For SNBForums Daily Digest
Get an update of what's new every day delivered to your mailbox. Sign up here!